Post-Quantum Secure Identity-Based Signature Scheme with Lattice Assumption for Internet of Things Networks

The Internet of Things (IoT) plays an essential role in people’s daily lives, such as healthcare, home, traffic, industry, and so on. With the increase in IoT devices, there emerge many security issues of data loss, privacy leakage, and information temper in IoT network applications. Even with the development of quantum computing, most current information systems are weak to quantum attacks with traditional cryptographic algorithms. This paper first establishes a general security model for these IoT network applications, which comprises the blockchain and a post-quantum secure identity-based signature (PQ-IDS) scheme. This model divides these IoT networks into three layers: perceptual, network, and application, which can protect data security and user privacy in the whole data-sharing process. The proposed PQ-IDS scheme is based on lattice cryptography. Bimodal Gaussian distribution and the discrete Gaussian sample algorithm are applied to construct the fundamental difficulty problem of lattice assumption. This assumption can help resist the quantum attack for information exchange among IoT devices. Meanwhile, the signature mechanism with IoT devices’ identity can guarantee non-repudiation of information signatures. Then, the security proof shows that the proposed PQ-IDS can obtain the security properties of unforgeability, non-repudiation, and non-transferability. The efficiency comparisons and performance evaluations show that the proposed PQ-IDS has good efficiency and practice in IoT network applications.


Introduction
The Internet of Things (IoT) plays a very essential role in people's daily production and life [1].As daily travel, consumption, production, medical treatment, etc., are gradually becoming digital and intelligent, a variety of smart IoT devices surround people's lives.Although these IoT devices provide convenience, they also bring many security threats to people's lives and property safety.IoT network security is gaining much attention with the IoT network development [2].
The security issue is the most essential part of data sharing among different IoT devices through the public network.As shown in Figure 1, data security and user identity privacy should be given more consideration in IoT network applications, such as the Internet of Medical Things (IoMT) [3], the Home Internet of Things (Home IoT) [4], the Internet of Vehicles (IoV) [5], and the Industrial Internet of Things (IIoT) [6].In IoMT systems, medical data are essential in medical diagnosis, drug development, disease prediction, and medical device creation.The security of medical data and user privacy is the guarantee for data value play.In the Home IoT, smart home devices collect data about the user's daily life, health condition, living habits, and personal privacy.These data are related to the safety of users' lives and property.In IoV systems, smart driving cars, cameras, and traffic lights collect information about roads, traffic, logistics, and more in real time.Infrastructure information, such as geography and transportation, is relevant to national security.In IIoT systems, people, machines, materials, materials, law, environment, enterprise upstream and downstream, products, users, and other elements are connected to achieve data transmission between elements.It provides identity data acquisition, label management, identity registration, identity analysis, data processing, and identity data modeling functions to achieve the marking, management, and positioning of elements, and the industrial Internet identity resolution security mechanism has become the basis of industrial Internet applications.IoT data are becoming a more important asset for IoT network applications, which plays an essential role in process improvement, industrial upgrading, and social progress.Data security and user privacy security are two main parts of most IoT network applications that should be given more consideration.Blockchain is a distributed data management technology that utilizes the consensus mechanism and cryptographic algorithm to achieve secure data sharing in different and strange modes [7].The consensus mechanism helps the system achieve distributed consensus with a uniform ledger for the whole network, for example, proof of work (PoW) [8], proof of stake (PoS) [9].The cryptographic algorithm helps the system achieve, for example, DES [10], ECC [11].With the deepening of the application of blockchain technology in IoT network applications, there emerge many different kinds of chains with different distributed structures, consensus protocols, and cryptographic algorithms.These chains bring the IoT networks back to a centralized model as the IoT data cannot be freely shared among different IoT devices.So, cross-chain technology has gained more attention in recent years.
Cryptography is a general technology that utilizes difficult mathematical problems to achieve secure data sharing among public Internet work [12].However, the development of quantum algorithms threatens current classical cryptographic algorithms-based IoT network applications [13].Lattice cryptography is a promising anti-quantum theory that utilizes lattice assumptions to improve post-quantum security [14].For example, the Number Theory Research Unit (NTRU) consists of the convolution of polynomials, which is based on the shortest vector problem (SVP) on a lattice theory [15].It uses truncated polynomial rings to encrypt and decrypt data.GGH is an asymmetric cryptographic algorithm constructed by the nearest vector problem [16].Learning With Errors (LWE) is an unsolvable problem in machine learning that can be reduced to a SIVP lattice problem [17].There is a variant of ring-based LWE where polynomials replace the integer vectors in the LWE problem.The identity-based signature mechanism utilizes the identity of IoT devices to establish the traceability mechanism for IoT data sharing.
This paper focuses on the security issues of data loss, privacy leakage, and antiquantum weakness in most current IoT network applications, and proposes a PQ-IDS to improve the data-sharing security among different IoT devices.The main contributions of this paper are summarized as follows.

1.
A security model is constructed with blockchain and the PQ-IDS algorithm for IoT network applications.This model divides the IoT network into three layers: perceptual, network, and application, which help to establish a distributed and secure data-sharing mechanism for IoT network applications.

2.
A PQ-IDS scheme is proposed based on lattice assumption, and it inserts the IoT device's identity into the signature scheme to achieve the traceability of IoT data sharing among the IoT network.This scheme helps to achieve anti-quantum attack security with the lattice cryptography theories.

3.
Security analysis and proof about the correctness, unforgeability, non-repudiation, traceability, and post-quantum security are presented.The performance evaluations of key-size data-sharing transactions are presented.These results show the efficiency and practicality of the proposed security model and PQ-IDS scheme.
Next, Section 2 gives some related work, Section 3 gives some preliminaries, Section 4 gives the PQ-IDS scheme, Section 5 gives the security proof of the PQ-IDS scheme, Section 6 gives the efficiency comparison and performance, and Section 7 gives the conclusion.

IoT Network Security
In IoT network applications, there exist a lot of attacks, such as deception, information leakage, tampering, denial of service (DoS), and privilege escalation, which threaten the personal and property safety of the system users.For the deception attack, Rehman et al. [18] utilized the model-based method to construct a proactive defense framework, which aggregated the technologies of proactive defense mechanisms and cyber deception to resist the deception attack in IoT networks.For the information leakage, Xu et al. [19] established a data-sharing framework with blockchain technology for IIoT, and inserted federated learning into this scheme to improve the tamper-proof and decentralized capabilities.Singh et al. [20] constructed a privacy-preserving model for IoMT with blockchain and zero-knowledge proof, which strengthened the adaptability in lightweight computer devices.For the tampering, Zhang et al. [21] introduced a malware traffic classification model dependent on neural architecture search, which could improve the searchability of the optimal model in a realistic IoT environment.Li et al. [22] designed a hierarchical and multi-group data-sharing scheme for IIoT, which could improve the data access control ability against the key leakage resilience attack.For the DoS, Malik et al. [23] introduced a detect model based on feature engineering and machine learning, which achieved resisting distributed DoS in standardized IoT.Khanday et al. [24] proposed an intrusion detection platform based on machine learning and deep learning classifiers for IoT networks, which could improve the detection accuracy and efficiency of DDoS attacks.For the privilege escalation, Mehmood et al. [25] constructed an insider threat detection and classification framework based on machine learning, and introduced a systematic approach to resist the privilege escalation in relation to the anomalies and security problems.However, the methods used in these references are all classical cryptographic algorithms, which cannot resist quantum attacks.This paper plans to utilize blockchain technology and a post-quantum signature algorithm to provide anti-quantum security for data-sharing in IoT networks.

Signatures for IoT Networks
Digital signatures play an essential role in the data-sharing processes in different IoT network applications.In particular, the identity-based signature (IDS) has widespread application due to its identification mechanisms and traceability.Liu et al. [26] designed a distributed multi-signature scheme with discrete logarithms to improve the security and efficiency of IoT identification with centralized signature schemes.Jia et al. [27] designed a certificateless signature protocol with an ECC-based discrete logarithm problem, and stated that it was more suitable for resource-limited IoT devices.Du et al. [28] figured out the security weakness of the scheme in Ref. [27], and presented a new signature scheme with the ECC cryptosystem, which could resist the forger attack from the super adversaries.Li et al. [29] gave an aggregate signature scheme to strengthen the security of large-scale data transmission in IIoT, which also utilized blockchain technology to achieve secure, distributed, and autonomous data management.Bao et al. [30] presented an identity management scheme to protect identity privacy for IIoT, and took the blockchain technology together to achieve distributed privacy-preserving.
In most current IoT network applications, the IDS schemes constructed by large integer factorization and discrete logarithm problems have good applicability to satisfy the needs of IoT devices with high throughput and low latency.However, these IDS schemes cannot resist the quantum attack [31].Therefore, post-quantum cryptography has gained more attention in current academia and industry to improve the security properties of anti-quantum attacks.Lattice cryptography is one promising post-quantum algorithm.Srivastava et al. [32] presented an identity-based multi-signature scheme with a multivariate quadratic problem, which could achieve anti-quantum security for realtime information exchange in IoV.Wang et al. [33] introduced a proxy signature scheme with lattice assumption, which utilized the lattice basis delegation and preimage sample technologies to achieve post-quantum secure IoT.Wu et al. [34] designed an ID-based proxy signature based on the NTRU lattice and utilized message recovery technology to guarantee secure message exchange among different IoT devices.Prajapat et al. [35] gave an ID-based aggregate signature based on lattice cryptography, which could improve the messages promptly, vehicle identity confidentiality, and authentication swiftly in the vehicle ad hoc networks (VANETs).Sun et al. [36] utilized the path signature to construct an XAI-enabled network, which could achieve efficient time series classification.The simple comparisons of these former schemes are shown in the following Table 1.Although these lattice-based IDS schemes strengthen the anti-quantum ability of IoT networks, there still exist some security issues of privacy leakage, big key size, and high-performance consumption.This paper plans to design a post-quantum secure IDS for general IoT network applications.Efficiency to be improved Yes

Preliminaries 3.1. Lattice Theory
Some definitions of the lattice theories are presented, which are in relation to the construction of the DVS scheme.First and foremost, some notations of parameters used in this paper are explained in Table 2.The cryptographic Hash function 1) as follows: The matrices A = (a 1 , • • • , a m ) ⊂ R n×m establish a basis for the lattice Λ with dimension n and rank m.In general, n and m satisfy m = O(n log q).Definition 2. q-ary Lattice [14] "q-ary" lattice is defined with a prime number q, matrix A ∈ Z n×m q , which is shown in Equation (2) as follows: Definition 3. Gaussian distribution [37]: With standard deviation σ ∈ R and center c ∈ R evaluated at x ∈ R, the Gaussian distribution is defined by ρ c,σ (x) = exp( −(x−c) 2 2σ 2 ), and more generally by ρ c,σ (x) = exp( −||x−c|| 2 2σ 2 ) for x, c ∈ R n .Here, ρ σ (x) represents the Gaussian distribution when the center c = 0. D σ (x) = ρ σ (x)/ρ σ (Z) represents the discrete Gaussian distribution over Z with center c = 0. D σ (x) = ρ σ (x)/ρ σ (Z m ) represents the more general situation over Z m with center c = 0.
is a problem to find non-zero v ∈ ℜ m q to achieve Equation (3), as follows: where A ∈ ℜ n * m q , and ||v|| 2 ≤ β.

Model Definitions
(1) Scheme model For an ID-based signature, there are four probabilistic polynomial time algorithms: Setup, KeyExt, Sign, and Verify.

•
Setup(1 n ): Given a security parameter n and parameters q and m, KGC derives some public parameters pp and the master key msk.(

2) Security model
To prove the security of this ID-based signature, it generally establishes a queryresponse game in a random oracle model.By making reasonable assumptions about the adversary A in the game, it can derive a contradiction that does not correspond to reality by utilizing the proof by contradiction.Then, it will derive that the ID-based signature is secure.Next are the detailed descriptions of this security model.

•
Initialize: C executes the Setup algorithm to derive the system pp.The lattice assumption SIS cannot be solved with the current highest computing power.This implies that the hypothesis of the former adversary A is invalid.

PQ-IDS for IoT Network Applications
This section first introduces a security model for IoT network applications and then designs a post-quantum identity-based signature (PQ-IDS) scheme with the lattice assumption.

Security Model for IoT Network Application
As the former described in Section 1, the security issue is an essential part of information communication and data exchange processes in every IoT application, such as IoMT, Home IoT, IoV, and IIoT.This section divides the IoT network into three layers: perceptual, network, and application (as shown in Figure 2), and gives detailed descriptions of these three layers, security demands, and solutions.Network layer: This layer is a data transmission process.The selected data are transmitted through the public network, such as the Internet, cloud, or blockchain.Under the help of communication protocol, these data are transmitted into the transaction Tx, and they also contain the signatures of IoT devices or device owners.Through those public networks, these transactions go to the node that needs them.Meanwhile, it needs a server with enough storage space for data storage and management.The Internet and cloud networks are generally public, which cannot provide a strong security guarantee for cross-domain data sharing.Blockchain technology changes the traditional centralized form to a distributed form, which improves data-sharing transparency and cross-institution data-sharing ability.As in blockchain-based IoT networks, the system transaction verification also can be executed by the PQ-IDS to achieve network-wide consistency.Some security issues of data tampering, malicious theft, and other network attacks generally occur in this layer.

•
Application layer: This is a data-utilizing process.A number of IoT devices are included in the IoT network, which continuously performs data exchange and processing.The collection, storage, calculation, and analysis of massive data support different IoT application purposes for people's daily lives.For example, IoV data can solve some complex problems in traffic.On the one hand, the data can help understand the traffic flow situation, and improve the driving route for the vehicle owner; On the other hand, the data can also provide decision making for the traffic department in the aspects of road planning, real-time scheduling of signal lights, and vehicle diversion.More importantly, the PQ-IDS scheme plays an essential role in guaranteeing data credibility.This is because the operations throughout the life cycle of the data are recorded, and the identity information of all operators can be traced through signature verification.
In order to trace the data source and find the IoT fault point, it is imperative to label the identity of the operator in the processes of data generation, transmission, processing, and use.Identity-based signatures can guarantee security, integrity, and non-repudiation, which can help to achieve IoT data secure transmission and utilization.Meanwhile, current IoT network-based information systems are equated with traditional cryptographic algorithms that cannot provide security in the quantum computer age.This paper designs a postquantum identity-based signature (PQ-IDS) scheme with lattice assumption, which can cover the security demands for data-sharing among IoT devices in different layers of the IoT network.

Details of PQ-IDS
To improve the privacy security of data-sharing transactions in BIoMT, an identitybased signature scheme with lattice assumption has been given.Next, this scheme mainly contains four algorithms.
Setup (1 n ): Given the security parameter n, a prime number q with q = q(n) ≥ 3, a positive integer m with m ≥ 5nlogq, L = O( nlogq), and σ = L • ω( logn), the KGC first derives the system parameters and master private key.Details of this algorithm are presented in Algorithm 1.

Algorithm 1 Setup
Input: Security parameter κ, a prime number q, a positive integer m Output: Public parameter pp and master key msk 1: KGC derives an approximate random distribution matrix mpk = A ∈ Z n×m q as the master public key, and a basis T ∈ Z m×m q from Λ ⊥ (A), which satisfy || T|| ≤ L; 2: Selects two hash functions H 1 : {0, 1} * → Z n q , H 2 : {0, 1} * → Z q ; 3: Serves msk = T; 4: Outputs pp = {A, H 1 , H 2 }, and keeps msk = T secretly.KeyExt (ID i , msk, pp): Given the system user's identity ID i , KGC generates the key pairs (pk, sk) in relation to ID i .Details of this algorithm are presented in Algorithm 2.

Algorithm 2 KeyExt
Input: pp, msk, and system user's identity ID i Output: Key pairs (pk, sk) q , where σ ≥ || T||ω( logm), a ID i modq = A • s ID i , and ||s ID i || ≤ σ √ m; 3: Outputs the public key pk = a ID i and secret key sk = s ID i for system user with ID i .
Sign (pp, pk, sk, µ): Given the message µ, the signer utilizes his secret key sk to sign on the data-sharing transaction.Details of this algorithm are presented in Algorithm 3.

Algorithm 3 Sign
Input: Message µ, system public key A, signer's private key s ID i Output: Signature Reject it 3: end if 4: if ||e|| ∞ > q/4 then 5: Reject it 6: end if 7: If c = H 2 (Ae − a ID i c mod q, µ), accept; otherwise, reject.This PQ-IDS scheme establishes data verification, identity authentication, and datatraceable mechanisms for IoT data sharing.Meanwhile, the lattice assumption guarantees the anti-quantum attack property for IoT network applications.

Example Application
This subsection presents an example application analysis of the former proposed security model and PQ-IDS scheme into the blockchain-based IoMT system.This signature scheme acts as two roles in the blockchain transactions in the IoMT system: the transaction signature and system transaction verification.Under the proposed security model, the data-sharing transaction through the blockchain-based IoMT system can be divided into the following six steps, also shown in the following Figure 3.In general, the proposed security model with a PQ-IDS scheme provides a fundamental framework for data-sharing in the blockchain-based IoMT system.It is also suitable for privacy protection in the data-sharing processes in other IoT network applications.

Security Analysis
This security analysis of the PQ-IDS scheme is given in this section.The correctness analysis is given first, and then the unforgeability, non-repudiation, and non-transferability are proved in the random oracle model under the principle defined in the former section.
Detailed processes of the equation Ae − a ID i c = Ax modq are shown in Equation ( 5) as follows:

Unforgeability
Theorem 1.This PQ-IDS is secure against the forgery attack as this signature cannot be forged under the hardness of SIS problem Z − SIS κ q,n,m,β .
Proof.A query-response game is established first in which an adversary A acts as the query member, and a challenger C acts as the response member.Then, these two members execute this game to prove that this PQ-IDS can capture the security property of unforgeability.In this game, A attempts to obtain enough signature information (without the target message µ * and user ID * i ) and has the ability to create a valid signature.C responds to A's queries according to the signature scheme construction, and attempts to solve a Z − SIS κ q,n,m,β instance with the knowledge of the forged signature in polynomial time.Next are the detailed steps of the query-response game.

•
Query: A queries the Hash, secret key, and signature algorithms with enough times in polynomial time, respectively.
-H 1 query: A queries the hash function H 1 about the user's identity ID i .Next, C keeps a list L H 1 to store these query results.When they obtain the queries from A, C first checks the list L H 1 whether the result pair (a ID i , ID i ) exists or not.If yes, they send a ID i to A as the response of H 1 's query about ID i .If no, they compute a ID i = H 1 (ID i ), send a ID i to A, and record (a Here, A can execute this query with enough times q H 1 about different identities {ID 1 , ID 2 , . . ., ID q H 1 }.-H 2 query: A queries the hash function H 2 about the message µ i (is not the target message µ * ).Next, C keeps a list L H 2 to store these query results.When they obtain the queries from A, C first checks the list L H 2 whether the result pair (c i , µ i ) exists or not.If yes, they send c i to A as the response of H 2 's query about Iµ i .If no, they randomly choose x ∈ D m σ , compute c = H 2 (Ax, µ i ), send c i to A, and record (c i , µ i ) in the list L H 2 .Here, A can execute this query with enough times q H 2 about different messages {µ 1 , µ 2 , . . ., µ q H 2 }.

-
Private key query: A queries the private key of the user ID i (is not the target user ID * i ).Next, C keeps a list L P to store these query results.When they obtain the queries from A, C first checks the list L P whether the result pair (s ID i , ID i ) exists or not.If yes, they send s ID i to A as the response of a private key query about ID i .If no, they compute s ID i ← Samplepre(A, T, a ID i , σ) ∈ Z m q , sends s ID i to A, and records (s ID i , ID i ) in the list L P .Here, A can execute this query with enough times q P about different identities {ID 1 , ID 2 , . . ., ID q P }. -Signature query: A queries the signature of the user ID i about the message µ i (is not the target message µ * and user ID * i ).Next, C keeps a list L S to store these query results.When they obtain the queries from A, C first checks the list L S whether the result pair (e i , c i , ID i , µ i ) exists or not.If yes, they send s ID i to A as the response of a private key query about ID i .If no, they execute the Hash algorithm H 2 to obtain (c i , µ i ), compute e i = s ID i c + x, send < e i , c i > to A, and record (e i , c i , ID i , µ i ) in the list L S .Here, A can execute this query with enough times q S about different identities {ID 1 , ID 2 , . . ., ID q S } and different messages {µ 1 , µ 2 , . . ., µ q S }.
With the same Hash function H 2 and message µ * , it has It also has instance as shown in the following Equation (9).
A(e * i − e * * i ) modq = 0 • Analyze: In the common sense, the lattice assumption is not solved with the current highest computing power.This implies that the hypothesis of the former adversary A is invalid.Meanwhile, from the former query processes, A can create a valid signature (e * i , c * i ) with the probability ξ q H 1 +q H 2 +q P +q S .With the query times q H 1 , q H 2 , q P , and q S increasing, this probability will decrease to 0.
Here, it completes this theme proof, and the proposed PQ-IDS can resist the forgery attack from the malicious adversary.

Non-Repudiation and Traceability
Digital signature plays a role in information protection in most current IoT network applications, and this PQ-IDS scheme utilizes the identity mechanism to achieve secure data exchange among different IoT devices.The proposed security model and PQ-IDS scheme co-guarantee the non-repudiation and traceability of the data-sharing processes in IoT networks.

•
Non-repudiation 1: The data-sharing transactions are all signed by related workers from the collection to processing and storage.These signatures are signed with the workers' private keys s ID i , and they can be verified by anyone with their public keys a ID i .So, the workers cannot deny when the signatures pass the verification.

•
Non-repudiation 2: The private key is generated by s ID i ← Samplepre(A, T, a ID i , σ) ∈ Z m q , and the user's public key is generated by a ID i = H 1 (ID i ) where the ID i is the personal identity, such as identity number, email address, phone number, etc.The personal information guarantees that the signature cannot be denied.

•
Traceability 1: This identity signature mechanism guarantees the traceability of IoT data exchange processes as the related workers will be traced by opening the corresponding signature when some security incidents occur.• Traceability 2: The blockchain technology provides an immutable public ledger for the records of IoT data storage and operational processes, which guarantees traceability for data sharing in different IoT networks.Once some disputes occur, it can find all the operation records and related operators by opening the signatures.

Post-Quantum Security
As in most current IoT network applications, the cryptographic algorithms inserted in different information systems are generally based on the classical mathematical difficult problems of discrete logarithms and large integer decomposition.These algorithms cannot provide security guarantees for IoT data sharing facing quantum attacks.However, the proposed PQ-IDS scheme in this paper can solve this problem, which is constructed with the lattice assumption as it has strong security against quantum attacks.Meanwhile, to guarantee the traceability of the IoT data-sharing process, this PQ-IDS scheme utilizes the identity mechanism to ensure that every data-processing record is signed with the corresponding operator's signature.Based on this PQ-IDS scheme, the IoT network applications will have strong security in the future quantum computer age.

Comparison and Performance
IoT network applications need more efficient algorithms with high computing power and low power consumption.The performance index is the ultimate goal of algorithm design.The efficiency comparison and performance evaluation are given in the following two subsections.

Efficiency Comparison
Key size is the essential item to show the efficiency and practicability of the proposed lattice-based IDS, which also influences the transaction execution in blockchain-based IoT network applications.This section selects five main items of mpk, msk, pk, sk, and sig.for comparison, and Table 3 gives the result.For the mpk of the IoT network, the key sizes with the vector form in Refs.[34,35] are smaller than those with matrix form in Ref. [33] and the proposed IDS.The key sizes of mpk, msk, pk, sk, and sig. in the proposed IDS scheme are equal to or less than those in the other three schemes.These comparison results show that this lattice-based IDS scheme has obvious advantages of efficiency and practicability for data sharing in IoT network applications.Smaller key size leads to more efficient data and transaction verification processes, which is suitable for data sharing in different IoT network applications.Along with the developments of edge computing ability and quantum technology, post-quantum algorithms for IoT network applications will be increasingly in demand.

Performance Evaluation
The performance evaluations are executed on a Windows 11 desktop with Intel Core i7-9700 CPU 3.2 GHz and 16 GB RAM.
(1) Key size evaluation Firstly, the system parameters have been unified.The system parameters are set as n = 256, q = 2 23 , m = 3545, which are equal to the 80-bit security level.The key size comparisons of mpk, msk, pk, and sk with 80-bit security are shown in Figure 4, and the results show that this PQ-IDS scheme is less than or equal to those in the other three schemes.Meanwhile, the signature size comparisons with 80-bit and 192-bit security levels are given as shown in Figure 5. Here, the system parameters are set as n = 256, q = 2 27 , m = 7807, which are equal to the 192-bit security level.The results show that the signature size of the proposed PQ-IDS scheme is no more than that in the other three schemes, and it also shows that the proposed PQ-IDS scheme has good applicability and efficiency for data sharing in different IoT network applications.These results also prove the former theory analyses in Section 5.1.Although the key size of mpk is not small, it can provide a strong security level for IoT network applications facing quantum attacks, and it also can be pre-generated to alleviate the consumption of key generation.
(2) Transaction performance for IoT data sharing Under the former stated performance environment, the performance for IoT datasharing transactions has been given.Here, the throughput and latency are selected for performance, which are the main items for blockchain transactions.Meanwhile, these two items will influence the transaction efficiency.As shown in the following Figures 6 and 7, the performance results of these two items in relation to the "CreateAccount", "Query", and "Transaction" are presented.Note that the performance results are the average level of 10 times cross-chain transaction performance, which can eliminate errors from different simulations of the system.From the results, the user registrations have low latency and high throughput, and the establishment transaction amounts remain stable with the number increasing.However, the query times of cross-chain transaction originations have high latency and low throughput compared with the other two items because the IoT datasharing transactions need high frequency and large quantity.Above performance evaluations show that the proposed security model is more efficient and practical for data-sharing in IoT network applications, and the proposed PQ-IDS scheme can well support the protection of system data and user privacy.

Conclusions
Facing security issues in IoT network applications, this paper introduces a PQ-IDS scheme to guarantee data-sharing security among IoT devices in different layers of the IoT network.An IoT network security model is designed first, which divides the IoT network applications into three layers and states the security issues.Meanwhile, a PQ-IDS scheme with lattice assumption has been proposed, which guarantees IoT data-sharing security in the current or future quantum computer age.The identity-based signature mechanism can also provide a traceability mechanism for IoT node failure.Then, the security analysis shows that this PQ-IDS can obtain the security properties of unforgeability, non-repudiation, traceability, and post-quantum security.Moreover, the efficiency comparisons show that the proposed PQ-IDS scheme has smaller key sizes than other schemes, and the transaction performances show that the proposed IoT network security model has good properties.These evaluation results show that the proposed PQ-IDS is efficient and practical for IoT network applications.
The key size of mpk is bigger than that in NTRU-based lattice cryptography, so it is one research purpose to reduce the key size to satisfy the demands of high throughput and low computing power of IoT devices.Meanwhile, as the number of IoT devices increases and the scale of the network increases, the refined control of the access rights and capabilities of different device subjects is an important guarantee for the privacy protection of IoT data and system users.Therefore, access control in a more fine-grained way will be considered more for secure data sharing among different IoT devices or IoT networks in future work.

Figure 1 .
Figure 1.Security issues for IoT network.

Figure 2 .
Figure 2. IoT network security model.•Perceptuallayer: This layer is a data collection process.From different smart IoT devices, many types of data are selected.These data mainly appear in text, figure, and video forms.As in the IoMT environment, the medical data generally contain health data collected from wearable smart devices, diagnosis data created by patients and doctors, testing data generated by medical devices, and other related data about health insurance, banking, etc.In the Home IoT environment, the data are collected from smart home devices, such as door locks, cameras, refrigerators, washing machines, sweepers, smart speakers, air purifiers, etc.As in the IoV environment, the data are collected from smart vehicles, road detection, cameras, traffic lights, etc.In the IIoT environment, the data are collected from logistics trucks, wind-generating sets, and other related industrial devices.These collected data are signed with the signatures of

e 1 : 4 . 4
The user ID i randomly selects x ∈ D m σ ; 2: Computes c = H 2 (Ax, µ); 3: Computes e = s ID i c + x; 4: Output the signature < e, c > with probability min( D m σ (e) M 2 D m Sµ,σ (z) , 1); otherwise, restart.Verify(pp, µ, a ID i , < e, c >): The verifier utilizes the system parameter pp and pk = a ID i to verify the legality of < e, c > in relation to message µ.Details of this algorithm are presented in Algorithm Algorithm Verify Input: µ, a ID i , and < e, c > Output: Reject or accept 1: if ||e|| > L then 2:

Figure 3 .
Figure 3. Data-sharing transaction through the blockchain-based IoMT.• Data collection: Through smart medical devices, the daily health data and hospital test data are collected and uploaded to the IoMT system.To establish a traceability mechanism, the medical data are labeled with the signatures of related IoMT devices or operators.• Data storage: In the blockchain-based IoMT system, the real data are stored in the native server.The storage address, operation records, and other related lightweight information are uploaded into the blockchain ledger.• Transaction request: When one patient wants to authorize the doctor to view their health data, they execute a transaction request.This situation is a process of seeing a doctor or scientific research as one user attempts to share data with the other system user.This transaction only sends authorization for these data and the target user must pass this authentication before they can access control on the real medical data.• Transaction signature: Based on the former proposed PQ-IDS scheme, this patient signs the transaction with their private key sk.This signature is a proof that other users confirm the data's validity by opening it.Meanwhile, this patient cannot deny this signature when some medical disputes occur.• Transaction verification: This is the process of verifying the consistency of blockchain transactions across the network.The packaged transactions are sent to the verification nodes who check the legality of the transactions and sign them.The verification process is according to the consensus protocol proof of work (PoW) or proof of stake (PoS).• Transaction Broadcast: The verified transactions will be broadcast to all the nodes in the IoMT network.This process mainly synchronizes the ledger across the network, but it also needs to obtain the access control rights of the real data before the target user can view the original data.• Transaction storage: These transaction data belong to lightweight information, which is recorded in the blockchain ledger.This blockchain ledger is public and immutable, guaranteeing the transaction data's security and traceability.• Signature verification: The target user (doctor) first verifies the signature of the transaction originator.• Data utilization: These medical data can be used for disease diagnosis, drug discovery, medical research, and medical device development.

Table 1 .
Cryptographic algorithm comparisons for IoT network.

•
Forge: A utilizes the former received information to generate a valid signature (e * i , c * i ) about the target user ID * i and message µ * .Then, they send this forged signature (e * i , c * i ) to C. • Challenge: C utilizes the forking lemma to generate the other valid signature (e * * i , c * i ) about the target user ID * i and message µ * .Here, C utilizes the same selected x ∈ D m σ .Then, it has c Because of ||e* i || ∝ , ||e * * i || ∝ ≤ q/4, it has ||e * i − e * * i || ∝ ≤ q/2with overwhelming probability.Hence, it can derive a solution v = e * i − e * * i (||v|| ∝ ≤ β) for Z − SIS κ

Table 3 .
Key size comparison.